Date: Wed, 29 Nov 2000 16:05:01 +0200 (EET)
From: netch@carrier.kiev.ua (Valentin Nechayev)
To: freebsd-security@freebsd.org
Subject: Re: bash vulnerability
Message-Id: <200011291405.QBY10919@burka.carrier.kiev.ua>

>> > The bash seems vulnerable to the symlink attack as well:
>> > http://www.securityfocus.com/bid/2006

Part of ktrace of bash-2.03 from port:

  9820 bash     CALL  open(0xbfbfd548,0xe01,0x180)
  9820 bash     NAMI  "/tmp/t9820-0-sh"
  9820 bash     RET   open 3

Here, O_EXCL|O_CREAT|O_TRUNC is seen => not vulnerable to the symlink attack.
But later, it closes the file and reopens it:

  9820 bash     CALL  dup(0x3)
  9820 bash     RET   dup 4
  [...]
  9820 bash     CALL  write(0x4,0x811b00c,0x44)
  9820 bash     GIO   fd 4 wrote 68 bytes
       "Only root can create /etc/nologin. Do any boot-time scripts use sh? "
  9820 bash     RET   write 68/0x44
  9820 bash     CALL  close(0x4)
  9820 bash     RET   close 0
  9820 bash     CALL  close(0x3)
  9820 bash     RET   close 0
  9820 bash     CALL  open(0xbfbfd548,0,0x180)
  9820 bash     NAMI  "/tmp/t9820-0-sh"
  9820 bash     RET   open 3
  9820 bash     CALL  unlink(0xbfbfd548)
  9820 bash     NAMI  "/tmp/t9820-0-sh"
  9820 bash     RET   unlink 0

Hence the race condition exists: the file can be changed in these few
microseconds between close & open ;|

>> Where have you seen bash or FreeBSD?

RS> Installed from /usr/ports/shells/bash2 (or bash1).
RS> I don't know if the shipping /bin/sh is vulnerable.

No, it is not: it forks, and the child pipes the here-document to the parent.
/netch
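The close-and-reopen window in the trace above is what a defender wants to see eliminated, so here is the same here-document scratch-file sequence written without a second open(2) by path. This is an added example in C, not code from bash, from the FreeBSD /bin/sh, or from the post; it assumes a writable /tmp and goes beyond the trace by using mkstemp(3) (O_CREAT|O_EXCL plus an unpredictable name) instead of the fixed /tmp/tPID-0-sh name.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a here-document scratch file and return a descriptor positioned at
 * its start.  mkstemp(3) opens with O_CREAT|O_EXCL, so a pre-planted symlink
 * is not followed; unlike the ktrace above, the descriptor is then never
 * closed and reopened by name: the body is written, the name is unlinked and
 * the same fd is rewound with lseek(2).  Returns -1 on any error. */
int heredoc_fd(const char *body)
{
    char tmpl[] = "/tmp/heredoc.XXXXXX";   /* assumed scratch directory */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;

    size_t len = strlen(body), off = 0;
    while (off < len) {
        ssize_t w = write(fd, body + off, len - off);
        if (w < 0 && errno == EINTR)
            continue;
        if (w < 0) {
            unlink(tmpl);
            goto fail;
        }
        off += (size_t)w;
    }
    /* Drop the name now; readers use the descriptor, never the path. */
    if (unlink(tmpl) < 0)
        goto fail;
    /* Check via fstat(2) on the fd (not stat(2) on the path): after unlink
     * the inode we hold must have no links left, i.e. nobody swapped the name. */
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_nlink != 0 || !S_ISREG(st.st_mode))
        goto fail;
    if (lseek(fd, 0, SEEK_SET) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}
```

The caller reads the here-document through the returned descriptor and closes it when done; the only window an attacker could use is gone because no open(2) of the name happens after the O_EXCL create.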